...

The key-pair is (optionally) created and then assigned to the Charon cloud instance at first launch. If a new key-pair is created, the private key can be downloaded during creation.

Make sure to store the private key in a safe place. If it is lost, access to the instance may be permanently lost.



Adapting the SSH Daemon Configuration of the Charon Host System

...

Steps on the Charon Host System

Creating a VPN Bridge Manually

Please note: should you plan to manage this bridge later using the Charon Manager, you must adhere to the Charon-SSP naming conventions for virtual bridges:

  • Bridge name: br_<name-of-bridge>
  • TAP name for emulator connection: tapX_<name-of-bridge> (where X stands for an integer identifying the tap interface)
  • TAP name for tunnel connection: tap0

To create a bridge for the VPN tunnel manually, use commands similar to the following:

...

To make the configuration permanent, you can use ifcfg-files, nmcli commands, or a custom startup script - depending on your requirements and your host operating system version.

Linux version | network-scripts method (ifcfg-files) | NetworkManager (nmcli)
7.x | Installed by default. NM_CONTROLLED=no forces ifcfg-file use. | Installed by default.
8.x | Deprecated but available; needed if TAP interfaces are to be configured in ifcfg-files. | Preferred configuration method. Used by the Charon-SSP Manager starting with Linux 8.x.
9.x | No longer available. For interface types supported by the ifcfg-rh plugin, ifcfg-files can be used. | Only method with full functionality. Must be used for TAP interfaces.




Sample ifcfg-files for CentOS/RHEL 7:

...

nmcli conn add type bridge con-name br_vpn0 ifname br_vpn0 ipv4.method manual ipv4.addresses 192.168.0.10/24 \
      ipv6.method disabled
nmcli conn add type tun mode tap autoconnect yes con-name tap0_vpn0 ifname tap0_vpn0 master br_vpn0
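A small POSIX shell helper, added here as an example and not part of the Charon-SSP documentation or product: it emits nmcli commands that follow the bridge and TAP naming convention above (br_<name>, tapX_<name>) for any number of emulator TAPs, and checks that the bridge address and the remote system's bridge address are in the same IP subnet, which this setup requires. The script name vpn-bridge.sh and the alphanumeric-only name check are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the Charon-SSP documentation: generate the nmcli
# commands for a bridge that follows the Charon-SSP naming convention
# (br_<name>, tapX_<name>) and check that two bridge addresses share a subnet.
# Nothing here touches the system unless the printed commands are run.

# ip_to_int 192.168.0.10 -> 3232235530 (dotted quad to unsigned integer)
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet LOCAL_CIDR REMOTE_IP: succeeds when both addresses lie in the
# network given by LOCAL_CIDR (e.g. 192.168.0.10/24 and 192.168.0.1)
same_subnet() {
    ip=${1%/*}; prefix=${1#*/}
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# gen_bridge_cmds NAME CIDR NTAPS: print the nmcli commands that create
# br_NAME with a manual IPv4 address and NTAPS emulator TAPs tap0_NAME ...
# tap(NTAPS-1)_NAME enslaved to it. Only alphanumeric names are accepted
# (a restriction of this example), and each TAP name must fit IFNAMSIZ (15).
gen_bridge_cmds() {
    name=$1; cidr=$2; ntaps=$3
    case $name in
        ""|*[!A-Za-z0-9]*) echo "bad bridge name: '$name'" >&2; return 1 ;;
    esac
    printf 'nmcli conn add type bridge con-name br_%s ifname br_%s' "$name" "$name"
    printf ' ipv4.method manual ipv4.addresses %s ipv6.method disabled\n' "$cidr"
    i=0
    while [ "$i" -lt "$ntaps" ]; do
        ifn="tap${i}_${name}"
        [ ${#ifn} -le 15 ] || { echo "interface name too long: $ifn" >&2; return 1; }
        printf 'nmcli conn add type tun mode tap autoconnect yes con-name %s ifname %s master br_%s\n' \
            "$ifn" "$ifn" "$name"
        i=$((i + 1))
    done
}

# Usage: ./vpn-bridge.sh vpn0 192.168.0.10/24 2 192.168.0.1
# Prints the commands; apply them by piping the output to sh as root.
if [ $# -eq 4 ]; then
    same_subnet "$2" "$4" || { echo "bridge and remote address not in the same subnet" >&2; exit 1; }
    gen_bridge_cmds "$1" "$2" "$3"
fi
```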




Creating a VPN Bridge using the Charon-SSP Manager

...

Perform the following steps to configure a VPN bridge:

  • Set Create for SSH VPN to ON.
  • Enter the Number of virtual adapters (TAP interfaces) required. These interfaces will be assigned to the emulated SPARC systems as Ethernet interfaces.
  • Configure the IP address for the bridge interface.
  • Set the Netmask.

Please note: this interface and the interface on the remote Linux system must be in the same IP subnet.

Click on OK to save your configuration.

...

Click on OK to save the configuration change.

If the emulated instance is currently running, the guest must be shut down and the emulated instance must be restarted for the change to become active.



Steps on the Remote Linux System

Please note: the steps on the Charon host must be performed first.

...

Action | Command
Create TAP interface | # ip tuntap add dev tap0 mode tap
Enable TAP interface | # ip link set tap0 up
Create bridge | # ip link add name br_vpn0 type bridge
Enable bridge interface | # ip link set br_vpn0 up
Define IP address for bridge | # ip addr add 192.168.0.1/24 dev br_vpn0
Add TAP interface to bridge | # ip link set tap0 master br_vpn0

Start the SSH tunnel

autossh is a program to start a copy of ssh and monitor it, restarting it as necessary should it die or stop passing traffic.

Once started, you can move the program to the background.

# autossh -M 9876 -o ServerAliveInterval=60 -o Tunnel=ethernet \
  -w 0:0 -t -i <path-to-private-key> -NCT <username>@<public-AWS-instance-IP>

The value for username depends on the Charon product:

  • All products: root (or another configured user with the correct privileges and authorized_keys file).
  • Charon-SSP Baremetal and Charon marketplace images: sshuser

  • -M defines the monitoring port autossh uses to monitor the connection.
  • -o sets SSH options (bridged tunnel and keepalive).
  • -i denotes the path to the private key matching the public key copied to the host system.
  • -w denotes the number of the local and remote tunnel interfaces for tunnel device forwarding (e.g., the 0 in interface tap0).
  • -N denotes that no remote command should be executed.
  • -T disables pseudo-terminal allocation.
  • -C requests data compression.

...